A Blockchain-Based Federated Forest for SDN-Enabled In-Vehicle Network Intrusion Detection System

More Info
expand_more

Abstract

In-vehicle communication systems are usually managed by controller area networks (CAN). By broadcasting packets to their bus, the CAN facilitates the interaction between Electronic Control Units (ECU) that coordinate, monitor and control internal vehicle components. With no authentication mechanism for identifying the legitimacy and source of packets, CAN are vulnerable to cyber-attacks. An Intrusion Detection System (IDS) can detect attacks on CAN and machine learning can be used to create the models for the IDSs to detect non-linear attack patterns. However, car manufacturers and owners might want to keep the sensitive information required for training the models confidential. Therefore, we proposed a Blockchain-based Federated Forest Software-Defined Networking (SDN)-enabled IDS (BFF-IDS) to address the problem of data sharing the sensitive CAN data. To ensure scalability, we used InterPlanetary File System (IPFS) to host the models, and the blockchain is designed to store only a hash of the model and a pointer to its location. The SDN provides the dynamic routing of packets and model exchanges. We used Federated Learning (FL) to create a random forest model. Individuals provide partially trained models, allowing them to keep the underlying data confidential. Using Fourier transform, we decomposed the CAN IDs cycle from CAN bus traffic in the frequency domain for better generalization in multiclass detection of attacks. Multiple statistical and entropy features were extracted to handle the high complexity and non-linearity in CAN bus traffic. The proposed system allows manufacturers and car owners to contribute to the training of the models, as their sensitive data is protected. By storing hashes of the models on a blockchain, the risk of adversaries poisoning the models is reduced and a single point of failure is avoided. We evaluated the proposed system by conducting experiments on a testbed. We found that the proposed system has efficient use of memory and CPU resources and that the detection rate of closely related attacks was high. We recorded the highest model attack detection rate of about 0.981.